GoDaddy took down 15,000 subdomains used in online scams. Online spam campaigns targeted users using fake celebrity endorsements to sell fake products like miracle weight loss cures. Celebrities used in the scams included Stephen Hawking, Blake Shelton, the Shark Tank TV show, etc.
Researchers at Palo Alto Networks worked alongside GoDaddy to identify thousands of compromised servers and domains used in the spam campaigns. Jeff White of Palo Alto Networks documented the distinctive patterns the campaigns exhibited over the course of a two-year investigation.
Each spam campaign followed similar steps to deceive users. The campaigns appear in emails, hijacked Skype messages, Facebook ads, and Twitter posts. White found that the campaigns followed these steps. First, a phishing email was sent to victims. The email claims that researchers or doctors have found a miracle cure, which a celebrity has tried and been cured by. Once the user clicks the link, the URL takes the user to a fake domain that resembles a legitimate website such as Forbes or TMZ.
The fake domains offer the option to purchase the illegitimate products. Many users buy into the scam and hand over their credit card information. Some scammers even sent sample products to victims. Additionally, some of these operations enroll victims in a monthly subscription service. Unfortunately, the subscriptions are hard to cancel because the companies selling the products do not answer phone calls or reply to emails.
Each false advertisement contained further false advertisements within it. White commented in his report:
“These landing pages do nothing more than attempt to elicit a click from the viewer. Every single link, “contact us” button, Facebook like, Twitter re-tweet, etc. all point to the same resource – another PHP script which handles the redirection to the “miracle cure” sales page.”
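The pattern White describes is a usable detection signal for defenders: a page whose every link, button and form resolves to one redirector script. The following is an added example, not code from the report or from Palo Alto Networks or GoDaddy; the domain, paths and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages (not real sites). The "scam" page mimics the
# landing pages described in the report: every click goes to go.php.
BASE = "https://fake-example.test/article/1"
SCAM_PAGE = """
<a href="/go.php?c=read">Read the full story</a>
<a href="/go.php?c=like">Like on Facebook</a>
<a href="/go.php?c=tweet">Re-tweet</a>
<a href="#">Top</a>
<a href="/go.php?c=contact">Contact us</a>
<form action="/go.php?c=order"><input type="submit" value="Order now"></form>
"""
LEGIT_PAGE = """
<a href="/">Home</a> <a href="/about">About</a> <a href="/contact">Contact</a>
<a href="https://twitter.com/share?u=x">Share</a> <a href="/article/2">Next</a>
"""

class LinkCollector(HTMLParser):
    """Collects anchor hrefs and form actions from an HTML document."""
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.targets.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.targets.append(a["action"])

def link_targets(html, base_url):
    """Resolve every clickable target to scheme://host/path (query dropped),
    so go.php?c=like and go.php?c=tweet count as the same resource."""
    p = LinkCollector()
    p.feed(html)
    out = []
    for t in (x.strip() for x in p.targets):
        if not t or t.startswith(("#", "javascript:", "mailto:")):
            continue
        u = urlsplit(urljoin(base_url, t))
        out.append(f"{u.scheme}://{u.netloc}{u.path}")
    return out

def single_redirector_score(html, base_url, min_links=4):
    """Return (most common resource, fraction of links pointing to it),
    or None when the page has too few links to judge."""
    targets = link_targets(html, base_url)
    if len(targets) < min_links:
        return None
    top = max(set(targets), key=targets.count)
    return top, targets.count(top) / len(targets)

def is_click_funnel(html, base_url, threshold=0.9):
    """True when nearly every link funnels into one redirector script."""
    r = single_redirector_score(html, base_url)
    return r is not None and r[1] >= threshold
```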
Further, White found that thousands of subdomains were abusing GoDaddy services. Following the discovery, White worked alongside GoDaddy’s Threat Intelligence team to identify and shut down 15,000 subdomains. GoDaddy has since reset passwords for all compromised accounts and notified impacted users.
The company has since stated:
“GoDaddy takes the security of our network and our customers’ accounts very seriously, and we’ll continue to collaborate with the security community to identify and resolve these types of attacks.”
Image credits: Palo Alto Networks
If you believe your organization is at risk, contact LIFARS for penetration testing services.